Cisco ASA Series CLI Configuration Manual page 771

Software version 9.0 for the services module
Chapter 1
Information About NAT
NAT for VPN

Figure 1-19 Interface PAT and Identity NAT for Site-to-Site VPN
[Figure: Boulder inside network (host 10.1.1.6) behind Firewall1 (outside IP 203.0.113.1); site-to-site VPN tunnel across the Internet to Firewall2; San Jose inside network (host 10.2.2.78); www.example.com reachable on the Internet. Callouts:]
1. IM to 10.2.2.78; Src: 10.1.1.6
2. Identity NAT between networks connected by VPN; Src: 10.1.1.6, Dst: 10.2.2.78
3. IM received; Src: 10.1.1.6
A. HTTP to www.example.com; Src: 10.1.1.6
B. The firewall performs interface PAT for outgoing traffic; Src: 203.0.113.1:6070
C. HTTP request to www.example.com; Src: 203.0.113.1:6070

Figure 1-20 shows a VPN client connected to ASA1 (Boulder), with a Telnet request for a server (10.2.2.78) accessible over a site-to-site tunnel between ASA1 and ASA2 (San Jose). Because this is a hairpin connection, you need to enable intra-interface communication, which is also required for non-split-tunneled Internet-bound traffic from the VPN client. You also need to configure identity NAT between the VPN client and the Boulder and San Jose networks, just as you would between any networks connected by VPN, to exempt this traffic from outbound NAT rules.

Figure 1-20 VPN Client Access to Site-to-Site VPN
[Figure: VPN client (209.165.201.10) connects across the Internet to Firewall1 (Boulder, inside host 10.1.1.6); site-to-site VPN tunnel from Firewall1 to Firewall2 (San Jose, inside host 10.2.2.78). Callouts:]
1. HTTP request to 10.2.2.78; Src: 209.165.201.10
2. Firewall decrypts packet; src address is now local address 10.3.3.10; Src: 10.3.3.10, Dst: 10.2.2.78
3. Identity NAT between VPN client and San Jose networks; intra-interface configuration required
4. HTTP request received; Src: 10.3.3.10

See the following sample NAT configuration for ASA1 (Boulder):

! Enable hairpin for VPN client traffic:
same-security-traffic permit intra-interface
! Identify local VPN network, & perform object interface PAT when going to Internet:

Cisco ASA Series CLI Configuration Guide
1-25
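The hairpin and identity NAT requirements described above, written out as a complete ASA1 (Boulder) configuration. This is an added example, not the guide's own sample configuration; the object names and the /24 subnets for the VPN client pool (10.3.3.0/24), the Boulder inside network (10.1.1.0/24) and the San Jose inside network (10.2.2.0/24) are assumptions, since the figures show only single hosts.

```cisco
! Added example, not the guide's own sample configuration. Assumed addressing:
!   VPN client address pool  10.3.3.0/24  (client shown in the figure: 10.3.3.10)
!   Boulder inside network   10.1.1.0/24
!   San Jose inside network  10.2.2.0/24
!
! Hairpin: decrypted VPN client traffic enters on "outside" and leaves on "outside"
! again (toward the site-to-site tunnel or the Internet), so same-interface
! traffic must be permitted explicitly.
same-security-traffic permit intra-interface
!
! Network objects used by the NAT rules below.
object network vpn_client_pool
 subnet 10.3.3.0 255.255.255.0
object network boulder_inside
 subnet 10.1.1.0 255.255.255.0
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.0
!
! Identity NAT (twice NAT, NAT section 1). Section 1 is evaluated before the
! object NAT rules in section 2, so traffic between the VPN client, Boulder and
! San Jose keeps its real source and destination addresses and is never PATed
! to the outside interface address.
nat (outside,inside) source static vpn_client_pool vpn_client_pool destination static boulder_inside boulder_inside
nat (outside,outside) source static vpn_client_pool vpn_client_pool destination static sanjose_inside sanjose_inside
nat (inside,outside) source static boulder_inside boulder_inside destination static sanjose_inside sanjose_inside
!
! Object NAT (section 2): everything else from the VPN pool and the Boulder
! network that is bound for the Internet gets interface PAT on the outside
! address (203.0.113.1 in the figures).
object network vpn_client_pool
 nat (outside,outside) dynamic interface
object network boulder_inside
 nat (inside,outside) dynamic interface
```

The ordering is the point to verify: `show nat` lists section 1 rules ahead of the object NAT rules, and `show nat detail` adds per-rule hit counts. To confirm that a tunnel-bound flow is matched by the identity rule rather than by dynamic PAT, trace it, for example `packet-tracer input inside tcp 10.1.1.6 1025 10.2.2.78 23`; the NAT phase of the output should name the static identity rule. If an identity rule is missing, the section 2 dynamic PAT rewrites the source to the outside interface address, the packet no longer matches the site-to-site tunnel's interesting-traffic ACL, and it is not sent through the tunnel.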
